Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Open Source Security

Anatomy of a Typosquatting Campaign: How Attackers Pick T...

Real typosquatting campaigns follow a repeatable playbook: target selection, edit-distance tricks, and install-time payloads. Here's how attackers actually pick their targets.

Aug 2, 20257 min read
Open Source Security

Dependency Confusion Attacks Five Years Later: Are Enterp...

Five years after Alex Birsan's $130K dependency confusion disclosure, real attacks like PyTorch's torchtriton incident show the flaw is still live. Here's what's actually fixed.

Aug 2, 20256 min read
Open Source Security

Post-Install Scripts: The Overlooked Execution Point Atta...

Postinstall scripts run automatically on `npm install` with full user privileges—no review required. Here's how attackers exploit them, from ua-parser-js to Shai-Hulud.

Aug 1, 20258 min read
Open Source Security

Credential-Stealing Packages: What They Target and How Th...

Credential-stealing packages harvest env vars, browser passwords, and npm tokens at install time. Here's how ctx, W4SP, and Shai-Hulud actually work.

Aug 1, 20257 min read
Open Source Security

How Package Takeover via Maintainer Account Compromise Ac...

Attackers don't hack npm's servers — they phish or socially engineer maintainers. Here's how account takeover turns trusted packages into malware.

Jul 31, 20257 min read
Open Source Security

Supply Chain Worming: Self-Propagating Malicious Packages...

How the Shai-Hulud npm worm self-propagated across 500+ packages in 48 hours by stealing tokens and republishing itself — and how to stop the next one.

Jul 31, 20257 min read
DevSecOps

Continuous Integration Security: A Checklist

Continuous integration security means treating your CI pipeline as a production system, because an attacker who compromises your CI runner can ship malicious code as easily as your own engineers.

Jul 30, 20256 min read
Open Source Security

Slopsquatting in the AI Era: Registering Packages AI Mode...

AI coding assistants hallucinate package names at rates as high as 19.7% — and attackers are registering those exact names. Here's how slopsquatting works and how to stop it.

Jul 30, 20257 min read
SBOM

Why 'We Have an SBOM' Isn't the Same as 'We Are Secure'

An SBOM tells you what's in your software, not whether it's safe. Here's why inventory alone can't stop supply chain attacks like XZ Utils or SolarWinds.

Jul 30, 20257 min read
SBOM

AI-BOMs: Extending Bill-of-Materials Thinking to Machine ...

AI-BOMs extend SBOM discipline to machine learning models—tracking training data, weights, and lineage. Here's what they contain and why regulators now require them.

Jul 28, 20257 min read
SBOM

Third-Party SBOM Trust: Can You Verify a Vendor's Bill of...

A vendor's SBOM is a claim, not proof. Here's what actually verifies third-party software bills of materials — and why signatures alone aren't enough.

Jul 28, 20258 min read
SBOM

From Inventory to Insight: Turning SBOM Data Into Priorit...

A complete SBOM often surfaces thousands of CVEs. Here's how reachability, exploitability, and business context turn that noise into a prioritized action plan.

Jul 28, 20258 min read
supply-chain-security (Page 80) — Safeguard Blog